hipaa-as-7 High priority Administrative Safeguards / Contingency Plan

Establish and implement contingency plans to respond to emergencies that damage systems containing ePHI

Ransomware, natural disasters, hardware failures, and other emergencies can render ePHI unavailable at the moment it is needed most for patient care. HIPAA requires covered entities to have contingency plans that ensure ePHI can be recovered and systems can operate in an emergency. This includes data backup, disaster recovery, emergency mode operation, and a plan for how critical applications will function during outages. A contingency plan that has never been tested is not a plan; it is a document.

Implementation steps

  1. Implement data backup and recovery

    Establish procedures to create and maintain retrievable, exact copies of ePHI. Define backup frequency, retention periods, and storage location (offsite or cloud-based to survive a physical disaster at the primary site). Test restores periodically to verify backups are valid and recovery procedures work. Document the backup schedule and test results.

    aws-backup azure-backup veeam rubrik
  2. Develop a disaster recovery plan

    Document procedures for recovering systems containing ePHI after a major failure or disaster. Define recovery time objectives (RTO) and recovery point objectives (RPO) for critical systems. Specify the steps to restore from backup, reconstitute systems, and validate data integrity. Assign roles and responsibilities for executing the plan.

    confluence excel
  3. Define emergency mode operations

    Establish procedures that allow critical business processes to continue during system outages. Define which ePHI access and operations are essential to patient care during an emergency and how they will be performed when primary systems are unavailable (e.g., paper-based downtime procedures, access to read-only backup systems). Ensure the workforce knows what to do during a downtime event.

    confluence
  4. Test and revise contingency plans

    Regularly test contingency plans through tabletop exercises, partial failovers, or full disaster recovery drills. Document test results and findings. Update plans based on test outcomes, system changes, and lessons learned from real incidents. At minimum, review plans annually.

    confluence jira
  5. Assess application and data criticality

    Identify which applications and data are most critical to patient care and operations. Use this criticality assessment to prioritize recovery order in the disaster recovery plan and to justify the level of backup and redundancy investment for each system.

    confluence excel
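
One way to turn steps 1, 2 and 5 into a repeatable check, as an added example that is not part of the original control text: it orders systems for recovery by criticality and flags backups older than the RPO, restores that were never tested, and restore tests that ran longer than the RTO. The field names, tier numbering, sample inventory and the 365-day restore-test age limit are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class System:
    name: str
    tier: int                               # assumed scale: 1 = most critical to patient care
    rpo: timedelta                          # maximum tolerable data loss
    rto: timedelta                          # maximum tolerable time to restore
    last_backup: datetime
    last_restore_test: Optional[datetime]   # None = restore never tested
    restore_duration: Optional[timedelta]   # measured during the last restore test

def findings(s, now, max_test_age=timedelta(days=365)):
    """Return the contingency-plan gaps for one system (max_test_age is an assumed policy)."""
    out = []
    if now - s.last_backup > s.rpo:
        out.append("backup older than RPO")
    if s.last_restore_test is None or s.restore_duration is None:
        out.append("restore never tested")
    else:
        if now - s.last_restore_test > max_test_age:
            out.append("restore test stale")
        if s.restore_duration > s.rto:
            out.append("restore exceeded RTO")
    return out

def recovery_report(systems, now):
    """Recovery order: most critical tier first, then tightest RTO; each with its gaps."""
    ordered = sorted(systems, key=lambda s: (s.tier, s.rto))
    return [(s.name, findings(s, now)) for s in ordered]

# Constructed sample inventory (not real systems or real measurements).
NOW = datetime(2024, 6, 1, 12, 0)
h, d = timedelta(hours=1), timedelta(days=1)
SYSTEMS = [
    System("billing", 3, 24 * h, 72 * h, NOW - 30 * h, NOW - 400 * d, 10 * h),
    System("ehr-db", 1, 1 * h, 4 * h, NOW - timedelta(minutes=20), NOW - 30 * d, 6 * h),
    System("lab-interface", 2, 4 * h, 8 * h, NOW - 2 * h, None, None),
    System("pacs-archive", 2, 12 * h, 24 * h, NOW - 3 * h, NOW - 60 * d, 5 * h),
]

if __name__ == "__main__":
    for name, gaps in recovery_report(SYSTEMS, NOW):
        print(f"{name}: {', '.join(gaps) or 'ok'}")
```

The report output can be stored with the restore test results as part of the evidence for this control.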

Evidence required

Data backup configuration and test records

Evidence that ePHI is backed up and recoverable.

  • Backup schedule and configuration
  • Restore test results
  • Offsite storage confirmation

Disaster recovery plan

Documented procedures for recovering ePHI systems after a disaster.

  • Disaster recovery plan document
  • RTO/RPO definitions per system

Contingency plan testing records

Evidence that contingency plans have been tested.

  • Tabletop exercise notes
  • DR drill results
  • Plan revision history

Related controls